
CVE-2026-28679: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in xemle home-gallery

Severity: High
Tags: Vulnerability, CVE-2026-28679, CWE-22
Published: Fri Mar 06 2026 (03/06/2026, 04:32:09 UTC)
Source: CVE Database V5
Vendor/Project: xemle
Product: home-gallery

Description

CVE-2026-28679 is a high-severity path traversal vulnerability in xemle's Home-Gallery versions prior to 1.21.0. The flaw allows unauthenticated remote attackers to download arbitrary files outside the intended media directory by manipulating download requests. This occurs because the application fails to properly restrict file pathnames to the media source directory. Exploitation can lead to disclosure of sensitive system files, impacting confidentiality without affecting integrity or availability. The vulnerability has been patched in version 1.21.0. No known exploits are currently reported in the wild.

AI-Powered Analysis

Last updated: 03/06/2026, 05:00:37 UTC

Technical Analysis

CVE-2026-28679 is a path traversal vulnerability classified under CWE-22 found in xemle's Home-Gallery, an open-source self-hosted web gallery application for browsing personal photos and videos. The vulnerability exists in versions prior to 1.21.0 due to improper validation of file download requests. Specifically, when a user requests to download a file, the application does not verify whether the requested file resides within the designated media source directory. This lack of pathname restriction allows attackers to craft malicious requests that traverse directories (e.g., using '../' sequences) to access arbitrary files on the server's filesystem outside the intended directory. Because the vulnerability requires no authentication or user interaction and can be exploited remotely over the network, it poses a significant risk. The impact is primarily on confidentiality, as attackers can download sensitive system files, configuration files, or other private data. The vulnerability does not affect data integrity or availability. The issue was addressed and patched in Home-Gallery version 1.21.0 by implementing proper pathname validation to restrict downloads strictly to the media source directory. No known public exploits have been reported to date, but the high CVSS score of 8.6 reflects the ease of exploitation and potential impact. Organizations running vulnerable versions should prioritize upgrading to the patched release to eliminate this risk.

Potential Impact

The primary impact of CVE-2026-28679 is unauthorized disclosure of sensitive information due to arbitrary file download capability. Attackers can access system files such as configuration files, password files, or application secrets that reside outside the media directory. This breach of confidentiality can lead to further attacks, including credential theft, lateral movement, or exposure of private user data. Since the vulnerability does not affect integrity or availability, the system's operation remains intact, but the loss of confidentiality alone can have severe consequences, especially in environments with sensitive data. Organizations using Home-Gallery in production or exposed to untrusted networks are at risk of data leakage. The vulnerability's ease of exploitation without authentication or user interaction increases the likelihood of automated scanning and exploitation attempts. This can lead to widespread compromise of vulnerable instances, particularly if the application is internet-facing. The absence of known exploits in the wild currently limits immediate impact but does not reduce the urgency to patch. Failure to remediate could result in data breaches, regulatory non-compliance, and reputational damage.

Mitigation Recommendations

1. Upgrade Home-Gallery to version 1.21.0 or later immediately to apply the official patch that enforces proper pathname validation.
2. If upgrading is not immediately possible, implement web server-level access controls to restrict access to sensitive directories outside the media source directory, such as using directory whitelisting or deny rules.
3. Employ a Web Application Firewall (WAF) with rules to detect and block path traversal patterns (e.g., '../') in HTTP requests targeting download endpoints.
4. Conduct regular audits of file access logs to detect anomalous download requests that may indicate exploitation attempts.
5. Isolate the Home-Gallery application in a segmented network zone with minimal privileges to limit potential damage from compromise.
6. Educate administrators and users about the importance of timely updates and monitoring for suspicious activity.
7. Review and harden filesystem permissions to ensure that the application process has access only to necessary directories and files.
8. Consider implementing application-layer input validation and sanitization as an additional safeguard against malformed requests.


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-03-02T21:43:19.927Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 69aa5c10c48b3f10ff0d74be

Added to database: 3/6/2026, 4:46:08 AM

Last enriched: 3/6/2026, 5:00:37 AM

Last updated: 3/6/2026, 6:57:08 AM

